peng.jianhua commented on KYLIN-2703:

Hi [~liyang.g...@gmail.com], thanks a lots.

> kylin supports managing access rights for project and cube through apache 
> ranger.
> ---------------------------------------------------------------------------------
>                 Key: KYLIN-2703
>                 URL: https://issues.apache.org/jira/browse/KYLIN-2703
>             Project: Kylin
>          Issue Type: New Feature
>          Components: General
>            Reporter: peng.jianhua
>            Assignee: peng.jianhua
>              Labels: newbie, patch
>         Attachments: 
> 0001-KYLIN-2703-kylin-supports-managing-access-rights-for.patch, 
> KylinAuditLog.jpg, KylinPlugins.jpg, KylinPolicies.jpg, 
> KylinServiceEntry.jpg, NewKylinPolicy.jpg, NewKylinService.jpg, 
> Ranger-PMS-hope.png
> Ranger is a framework to enable, monitor and manage comprehensive data 
> security across the Hadoop platform. Apache Ranger has the following goals:
> 1. Centralized security administration to manage all security related tasks 
> in a central UI or using REST APIs.
> 2. Fine grained authorization to do a specific action and/or operation with 
> Hadoop component/tool and managed through a central administration tool
> 3. Standardize authorization method across all Hadoop components.
> 4. Enhanced support for different authorization methods - Role based access 
> control, attribute based access control etc.
> 5. Centralize auditing of user access and administrative actions (security 
> related) within all the components of Hadoop.
> Ranger has supported enable, monitor and manage following components:
> 1. HDFS
> 2. HIVE
> 3. HBASE
> 4. KNOX
> 5. YARN
> 6. STORM
> 7. SOLR
> 8. KAFKA
> 9. ATLAS
> In order to improve the flexibility of kylin privilege control and enhance 
> value of kylin in the Apache Hadoop ecosystem, like hdfs, yarn, hive, hbase, 
> Kylin should also support that using Ranger to control access rights for 
> project and cube. 
> Specific implementation plan is as following:
> On the ranger website, administrators can configure policies to control user 
> access to projects and cube permissions.
> Kylin provides an abstract class and authorization interfaces for use by the 
> ranger plugin. kylin instantiates ranger plugin’s implementation class when 
> starting(this class extends the abstract class provided by kylin).
> Ranger plugin periodically polls ranger admin, updates the policy to the 
> local, and updates project and cube access rights based on policy information.
> In the Kylin side:
> 1. Kylin provides an abstract class that enables the ranger plugin's 
> implementation class to extend.
> 2. Add configuration item.  1) ranger authorization switch, 2) ranger plugin 
> implementation class's name.
> 3. Instantiate the ranger plugin implementation class when starting kylin.
> 4. kylin provides authorization interfaces for ranger plugin calls.
> 5. According to the ranger authorization configuration item, hide kylin's 
> authorization management page.
> 6. Using ranger manager access rights of the kylin does not affect kylin's 
> existing permissions functions and logic.
> In the Ranger side:
> 1. Ranger plugin will periodically polls ranger admin, updates the policy to 
> the local.
> 2. The ranger plugin invoking the authorization interfaces provided by kylin 
> to updates the project and cube access rights based on the policy information.
> reference link:https://issues.apache.org/jira/browse/RANGER-1672

This message was sent by Atlassian JIRA

Reply via email to